Post B0wbi23KtHSm4RBMBc by mcc@mastodon.social
 (DIR) Post #B0wbhoAGWiggzsJh2m by mcc@mastodon.social
       2025-12-04T23:20:10Z
       
       0 likes, 0 repeats
       
       So here's what stops me from using Passkeys.
       - I want Passkeys.
       - I want to use "BitWarden".
       - BitWarden can use passkeys on all my platforms incl Android.
       - However, I do not install BitWarden on all my computers, because I don't trust some of them to hold my BitWarden vault.
       - This means I have to have a way of "airgapping" the passkey— some way of using a passkey on a phone, on a computer.
       - The ONLY way to do this the FIDO Alliance allows requires Bluetooth.
       - My computer doesn't have that.
       
 (DIR) Post #B0wbhozJSvWLYCCSbw by cthos@mastodon.cthos.dev
       2025-12-05T00:30:39Z
       
       0 likes, 0 repeats
       
       @mcc "Allows" is incorrect, as far as I'm aware. The spec does not disallow using a passkey from an authenticator over (say) the USB transport (otherwise yubikeys would be useless?) - but no one has implemented this with a phone-based authenticator.
       
 (DIR) Post #B0wbhpjOhaNrr7lGRU by mcc@mastodon.social
       2025-12-05T00:42:05Z
       
       0 likes, 0 repeats
       
       @cthos The constituent companies of the FIDO Alliance seem to have strong opinions about how it should be used, and some of them can potentially prevent me from running software. Google for example has at the moment a significant amount of power over my phone, and ideally I'd be able to use my passkey manager in conjunction with Chrome.
       
       Also it seems they really can enforce this with "attested keys", which have DRM, but I'm assured it's unlikely those will ever be widely adopted.
       
 (DIR) Post #B0wbhqKyRsRRjfLH0q by ignaloidas@not.acu.lt
       2025-12-05T16:48:44.264Z
       
       0 likes, 0 repeats
       
       @mcc@mastodon.social @cthos@mastodon.cthos.dev key attestation is there more for usecases of banks or similar high-impact environments. Getting the RPs to rely on attestation is not really realistic, because each one can make decisions on its own, freely, and few have any incentives to reduce how many key types work with them.
       
 (DIR) Post #B0wbhsWOKOlMVehQ5Q by mcc@mastodon.social
       2025-12-04T23:24:01Z
       
       0 likes, 0 repeats
       
       I don't want to enable Bluetooth on my phone and I don't want to buy a Bluetooth card for my aging desktop. Moreover FIDO views "airgapping" as a security risk. They believe that banning "airgapping" is a necessary component of "anti-phishing", and "anti-phishing" is a highest-priority goal of the FIDO alliance. "Anti-phishing" is not a goal I have, but it is SO important to the FIDO alliance they'd rather I not use passkeys at all than me have passkeys but be allowed to airgap them.
       
 (DIR) Post #B0wbhx9B88AKr6sS6C by mcc@mastodon.social
       2025-12-04T23:31:34Z
       
       0 likes, 0 repeats
       
       So, here's my solution: Fork BitWarden, and fork its Firefox extension. Add some kind of special wifi handshake, that allows me to keep BitWarden on my phone, and have the passkey/password autofill on the untrusted computer's browser WebAuthn with passwords or passkeys as needed tunneled encrypted from the phone, and the traffic goes over TCP/IP rather than bluetooth.
       
       I think this would work, and be safe, but I think also the FIDO alliance would call what I'm doing here "phishing".
       
 (DIR) Post #B0wbi23KtHSm4RBMBc by mcc@mastodon.social
       2025-12-04T23:33:26Z
       
       0 likes, 0 repeats
       
       So I wonder about this. The thing I want is supposed to be impossible, and FIDO tries to put technical measures in place to make it impossible. But passkeys have been implemented by open source applications. So technically I don't see how they stop me.
       
       There's another weird thing. [EDIT: removed outdated statement about Firefox support]; and the BitWarden site seems to imply Passkeys require Google Play Services. What? Problematic, as I am moving to Lineage or something soon.
       
 (DIR) Post #B0wbi6yuZ9tXMA9OU4 by mcc@mastodon.social
       2025-12-04T23:37:33Z
       
       0 likes, 0 repeats
       
       Wait. Are Passkey apps literally banned from being properly open source?
       
       https://peoplemaking.games/@leon/115663918924867641
       
       If what Leon speculates here is the case, doesn't that imply you literally cannot write a GPL3-compliant Passkey implementation, as your build-time signing keys would have to be part of the chain of trust and this would violate the GPL3's rules against such signing keys being secret-but-mandatory?
       
 (DIR) Post #B0wbsWa6F1tDeHVhUu by ignaloidas@not.acu.lt
       2025-12-05T16:50:42.485Z
       
       0 likes, 0 repeats
       
       @mcc@mastodon.social I'm not sure from where you see FIDO alliance seeing airgapping as a security risk? Or how would that be a necessary component of anti-phishing?
       
 (DIR) Post #B0wcS94F8txN9Aax1s by ignaloidas@not.acu.lt
       2025-12-05T16:57:09.195Z
       
       0 likes, 0 repeats
       
       @mcc@mastodon.social I don't see how this would be "phishing"??
       
       Assuming you implement proper user presence/authentication, and sufficiently protect the channel, this should be about ok in FIDO's books? At most, they'd maybe want a QR code on top.
       
       also, it's just a tool, use it however you need to
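       As an added illustration of the "proper user presence" point above (example code written for this page, not from any poster, BitWarden or the FIDO Alliance): the relying party's anti-phishing guarantee in WebAuthn does not come from the transport (Bluetooth, USB or a phone-side tunnel) but from the checks it performs on the signed authenticatorData. The block parses the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signCount), rejects an assertion whose rpIdHash does not match the expected RP ID (so a credential scoped to a look-alike domain is useless), requires the UP flag, optionally requires UV, and applies the signature-counter clone check. The sample authenticatorData is constructed inline; `require_uv` and the stored `last_sign_count` are the RP's own policy inputs and are assumed here.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included (registration only)
FLAG_ED = 0x80  # extension data included


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: 32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample data for the demo; a real RP only ever receives this from the client."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    require_uv: bool, last_sign_count: int) -> tuple[bool, str]:
    """RP-side checks on authenticatorData. Signature verification over
    authData || sha256(clientDataJSON) is assumed to happen separately."""
    ad = parse_authenticator_data(auth_data)

    # The credential is bound to the RP ID: a credential created for a
    # look-alike domain produces a different hash and is rejected here.
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"

    # User presence is mandatory for every assertion.
    if not ad.flags & FLAG_UP:
        return False, "user presence flag not set"

    # User verification (PIN/biometric on the authenticator) is RP policy.
    if require_uv and not ad.flags & FLAG_UV:
        return False, "user verification required but not performed"

    # Clone detection: if either counter is non-zero, the new value must increase.
    if (ad.sign_count != 0 or last_sign_count != 0) and ad.sign_count <= last_sign_count:
        return False, "signature counter did not increase"

    return True, "ok"


if __name__ == "__main__":
    good = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 7)
    print(check_assertion(good, "example.com", require_uv=True, last_sign_count=6))
    lookalike = build_authenticator_data("examp1e.com", FLAG_UP, 1)
    print(check_assertion(lookalike, "example.com", require_uv=False, last_sign_count=0))
```

       Note that nothing in these checks depends on how the authenticator was reached, and attestation does not appear at all: an RP that accepts the `none` attestation format at registration still gets the origin binding and presence checks shown here.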
       
 (DIR) Post #B0wcmmiXR19FuWHguG by ignaloidas@not.acu.lt
       2025-12-05T17:00:52.914Z
       
       0 likes, 0 repeats
       
       @mcc@mastodon.social There's absolutely 0 technical measures from FIDO to make this impossible, I don't know where you're getting that from
       
       There's no measures to make this easier, yes
       
       but like, AFAIK google in its own private fork of chrome, that has a remote desktop thing, has a way to proxy webauthn credentials from your computer to the one you're connecting to
       
 (DIR) Post #B0wcsYXx2BOfhM5I6i by ignaloidas@not.acu.lt
       2025-12-05T17:01:55.838Z
       
       0 likes, 0 repeats
       
       @mcc@mastodon.social nobody cares about attestation, nobody ever will, it's a bugbear of webauthn that people keep bringing up